Certificate Cloudflare Inc ECC CA-3 not valid anymore?

Answer these questions to help the Community help you with Security questions.

What is the domain name?

api.boks.app

Have you searched for an answer?

Yes, none found

When you tested your domain, what were the results?

I have extracted the Cloudflare Inc ECC CA-3 certificate as PEM and embedded it into an IoT device.

Describe the issue you are having:

Since a week ago, devices cannot connect to api.boks.app, it worked fine for years until last week.
The Cloudflare Inc ECC CA-3 certificate was supposed to be valid until December 31, 2024.

What error message or number are you receiving?

mbedtls_ssl_handshake returned -0x2700

What are the steps to reproduce the error:

gnutls-cli api.boks.app --x509cafile <pem_file_ECC_CA-3>

Cloudflare is phasing out DigiCert certificates. The site you mentioned is using a Google Trust Services certificate for a bit more than a week now:

Certificate chain
 0 s:CN = boks.app
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 24 23:48:24 2024 GMT; NotAfter: Jun 23 00:47:06 2024 GMT

Well, I was under the impression that “valid until December 31, 2024” meant that it would be still valid

It is valid. But the site doesn’t have a DigiCert certificate, so it’s not being used.


It is managed by Cloudflare, I didn’t change anything. Can you re-add a DigiCert certificate?

No, Cloudflare doesn’t use DigiCert anymore.


Well then the “valid until December 31, 2024” is very misleading, I guess all my IoT devices are broken now …

All certificates for your domain should be listed here…

The last Cloudflare branded DigiCert certificate is this one…

…which expires on 24 April 2024, so it has been replaced as expected approximately one month before expiry.

It is the Issuer CA that expires 31 December 2024…


In addition to what @sjr said:
The Cloudflare branded DigiCert certificates had a validity of one year. So they obviously can’t be renewed if the CA is within one year of expiration, but must be phased out a year before that.

But for the future, you should really have a self-signed root certificate in your device’s trust store. That way, you can always update your devices by issuing a certificate yourself.

Depending on how important it is for you to update these devices, you could contact Cloudflare Sales and see if it is possible to reinstate the certificate that expires April 24th. However, you should expect such a custom solution to be quite expensive, and only possible if they still have the certificate.

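To make the failure mode concrete, here is an added example (not from the thread, Cloudflare or mbedtls) that uses openssl alone: a leaf signed by the CA the device has embedded verifies, a leaf from a new issuer fails against that same pinned CA (the situation behind the -0x2700 handshake error), and a leaf issued under a root the device owner controls verifies once that root is in the trust store. CA names and the hostname api.example.invalid are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce with openssl why pinning only
# the issuing CA breaks when the site moves to a new issuer, and how a root
# you control in the device trust store keeps updates possible.
# CA names and the hostname api.example.invalid are constructed placeholders.
set -e

# Create a self-signed EC CA; files $1.key / $1.pem land in the working dir.
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$1" -days 30 >/dev/null 2>&1
}

# Issue a leaf for api.example.invalid signed by CA $1; output is $2.pem.
issue_leaf() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=api.example.invalid" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -out "$2.pem" -days 30 >/dev/null 2>&1
}

# Verify leaf $2 against trust store $1; prints "ok" or "FAIL".
# The FAIL case is what the device sees as mbedtls_ssl_handshake -0x2700.
check() {
  if openssl verify -CAfile "$1" "$2.pem" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# Run the whole scenario in a scratch directory and print three results:
# old leaf vs pinned CA, new-issuer leaf vs pinned CA, own leaf vs store with own root.
run_scenario() {
  work=$(mktemp -d)
  ( cd "$work"
    make_ca pinned-ca            # the CA embedded in the device (like ECC CA-3)
    make_ca new-ca               # the issuer the site switched to
    make_ca device-owner-root    # a root the device owner controls
    issue_leaf pinned-ca old-leaf
    issue_leaf new-ca new-leaf
    issue_leaf device-owner-root own-leaf
    cat pinned-ca.pem device-owner-root.pem > store.pem
    echo "$(check pinned-ca.pem old-leaf) $(check pinned-ca.pem new-leaf) $(check store.pem own-leaf)"
  )
  rm -rf "$work"
}

run_scenario   # prints: ok FAIL ok
```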
